linux-stable.git/drivers/staging/android/binder.c, branch v3.4.76 Linux kernel stable tree Staging: android: binder: Allow using highmem for binder buffers 2012-10-31T17:02:58+00:00 Arve Hjønnevåg arve@android.com 2012-10-16T22:29:55+00:00 7b76336ec39f1af832ebd29add93cfe21e839581 commit 585650dcec88e704a19bb226a34b6a7166111623 upstream. The default kernel mapping for the pages allocated for the binder buffers is never used. Set the __GFP_HIGHMEM flag when allocating these pages so we don't needlessly use low memory pages that may be required elsewhere. Signed-off-by: Arve Hjønnevåg <arve@android.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
commit 585650dcec88e704a19bb226a34b6a7166111623 upstream.

The default kernel mapping for the pages allocated for the binder
buffers is never used. Set the __GFP_HIGHMEM flag when allocating
these pages so we don't needlessly use low memory pages that may
be required elsewhere.

Signed-off-by: Arve Hjønnevåg <arve@android.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Staging: android: binder: Fix memory leak on thread/process exit 2012-10-31T17:02:57+00:00 Arve Hjønnevåg arve@android.com 2012-10-16T22:29:54+00:00 c70fc22aa9f442379b1f64e863b8adf8da2356e8 commit 675d66b0ed5fd170d6a44cf8dbb3fa56a5347bdb upstream. If a thread or process exited while a reply, one-way transaction or death notification was pending, the struct holding the pending work was leaked. Signed-off-by: Arve Hjønnevåg <arve@android.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
commit 675d66b0ed5fd170d6a44cf8dbb3fa56a5347bdb upstream.

If a thread or process exited while a reply, one-way transaction or
death notification was pending, the struct holding the pending work
was leaked.

Signed-off-by: Arve Hjønnevåg <arve@android.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Merge branch 'x86-x32-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2012-03-30T01:12:23+00:00 Linus Torvalds torvalds@linux-foundation.org 2012-03-30T01:12:23+00:00 a591afc01d9e48affbacb365558a31e53c85af45 Pull x32 support for x86-64 from Ingo Molnar: "This tree introduces the X32 binary format and execution mode for x86: 32-bit data space binaries using 64-bit instructions and 64-bit kernel syscalls. This allows applications whose working set fits into a 32 bits address space to make use of 64-bit instructions while using a 32-bit address space with shorter pointers, more compressed data structures, etc." Fix up trivial context conflicts in arch/x86/{Kconfig,vdso/vma.c} * 'x86-x32-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: (71 commits) x32: Fix alignment fail in struct compat_siginfo x32: Fix stupid ia32/x32 inversion in the siginfo format x32: Add ptrace for x32 x32: Switch to a 64-bit clock_t x32: Provide separate is_ia32_task() and is_x32_task() predicates x86, mtrr: Use explicit sizing and padding for the 64-bit ioctls x86/x32: Fix the binutils auto-detect x32: Warn and disable rather than error if binutils too old x32: Only clear TIF_X32 flag once x32: Make sure TS_COMPAT is cleared for x32 tasks fs: Remove missed ->fds_bits from cessation use of fd_set structs internally fs: Fix close_on_exec pointer in alloc_fdtable x32: Drop non-__vdso weak symbols from the x32 VDSO x32: Fix coding style violations in the x32 VDSO code x32: Add x32 VDSO support x32: Allow x32 to be configured x32: If configured, add x32 system calls to system call tables x32: Handle process creation x32: Signal-related system calls x86: Add #ifdef CONFIG_COMPAT to <asm/sys_ia32.h> ... 
Pull x32 support for x86-64 from Ingo Molnar:
 "This tree introduces the X32 binary format and execution mode for x86:
  32-bit data space binaries using 64-bit instructions and 64-bit kernel
  syscalls.

  This allows applications whose working set fits into a 32 bits address
  space to make use of 64-bit instructions while using a 32-bit address
  space with shorter pointers, more compressed data structures, etc."

Fix up trivial context conflicts in arch/x86/{Kconfig,vdso/vma.c}

* 'x86-x32-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: (71 commits)
  x32: Fix alignment fail in struct compat_siginfo
  x32: Fix stupid ia32/x32 inversion in the siginfo format
  x32: Add ptrace for x32
  x32: Switch to a 64-bit clock_t
  x32: Provide separate is_ia32_task() and is_x32_task() predicates
  x86, mtrr: Use explicit sizing and padding for the 64-bit ioctls
  x86/x32: Fix the binutils auto-detect
  x32: Warn and disable rather than error if binutils too old
  x32: Only clear TIF_X32 flag once
  x32: Make sure TS_COMPAT is cleared for x32 tasks
  fs: Remove missed ->fds_bits from cessation use of fd_set structs internally
  fs: Fix close_on_exec pointer in alloc_fdtable
  x32: Drop non-__vdso weak symbols from the x32 VDSO
  x32: Fix coding style violations in the x32 VDSO code
  x32: Add x32 VDSO support
  x32: Allow x32 to be configured
  x32: If configured, add x32 system calls to system call tables
  x32: Handle process creation
  x32: Signal-related system calls
  x86: Add #ifdef CONFIG_COMPAT to <asm/sys_ia32.h>
  ...
Staging: android: binder: Fix use-after-free bug 2012-03-09T21:14:08+00:00 Arve Hjønnevåg arve@android.com 2012-03-08T23:43:36+00:00 2a90957f2cfc2bf0b705a62a97830cf0d42a5a40 binder_update_page_range could read freed memory if the vma of the selected process was freed right before the check that the vma belongs to the mm struct it just locked. If the vm_mm pointer in that freed vma struct had also been rewritten with a value that matched the locked mm struct, then the code would proceed and possibly modify the freed vma. Signed-off-by: Arve Hjønnevåg <arve@android.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
binder_update_page_range could read freed memory if the vma of the
selected process was freed right before the check that the vma
belongs to the mm struct it just locked.

If the vm_mm pointer in that freed vma struct had also been rewritten
with a value that matched the locked mm struct, then the code would
proceed and possibly modify the freed vma.

Signed-off-by: Arve Hjønnevåg <arve@android.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Staging:android: Change type for binder_debug_no_lock switch to bool 2012-03-07T21:18:51+00:00 Zhengwang Ruan ruan.zhengwang@gmail.com 2012-03-07T02:36:57+00:00 2c52325ed2984069f893040f6139f0024e7d3b50 GCC warns that module_param_named() indirectly returns a bool type value which is different from 'int' type binder_debug_no_lock declared. Change it to bool because it is a internal switch for debugging. Signed-off-by: Zhengwang Ruan <ruan.zhengwang@gmail.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
GCC warns that module_param_named() indirectly returns a bool type value
which is different from 'int' type binder_debug_no_lock declared. Change
it to bool because it is a internal switch for debugging.

Signed-off-by: Zhengwang Ruan <ruan.zhengwang@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
fs: Remove missed ->fds_bits from cessation use of fd_set structs internally 2012-02-24T13:04:50+00:00 David Howells dhowells@redhat.com 2012-02-24T10:57:07+00:00 189017c25c8497760c89646c06297c37d6cde072 Stephen Rothwell reported that the following commit broke the linux-next build: 1fd36adcd98c: Replace the fd_sets in struct fdtable with an array of unsigned longs Fix places where ->fds_bits needed to be removed as the core kernel no longer uses fd_set internally for file descriptor table management. There are two places: (1) drivers/staging/android/binder.c (2) arch/mips/kernel/kspd.c Question: Should sp_cleanup() in the MIPS arch be using find_next_bit() or fls()? Reported-by: Stephen Rothwell <sfr@canb.auug.org.au> Signed-off-by: David Howells <dhowells@redhat.com> cc: Ralf Bächle <ralf@linux-mips.org> cc: Arve Hjønnevåg <arve@android.com> Link: http://lkml.kernel.org/r/20120224105707.32170.11550.stgit@warthog.procyon.org.uk Signed-off-by: Ingo Molnar <mingo@elte.hu> 
Stephen Rothwell reported that the following commit broke the
linux-next build:

  1fd36adcd98c: Replace the fd_sets in struct fdtable with an array of unsigned longs

Fix places where ->fds_bits needed to be removed as the core
kernel no longer uses fd_set internally for file descriptor
table management.  There are two places:

 (1) drivers/staging/android/binder.c

 (2) arch/mips/kernel/kspd.c

     Question: Should sp_cleanup() in the MIPS arch be using find_next_bit()
     or fls()?

Reported-by: Stephen Rothwell <sfr@canb.auug.org.au>
Signed-off-by: David Howells <dhowells@redhat.com>
cc: Ralf Bächle <ralf@linux-mips.org>
cc: Arve Hjønnevåg <arve@android.com>
Link: http://lkml.kernel.org/r/20120224105707.32170.11550.stgit@warthog.procyon.org.uk
Signed-off-by: Ingo Molnar <mingo@elte.hu>
Wrap accesses to the fd_sets in struct fdtable 2012-02-19T18:30:52+00:00 David Howells dhowells@redhat.com 2012-02-16T17:49:42+00:00 1dce27c5aa6770e9d195f2bb7db1db3d4dde5591 Wrap accesses to the fd_sets in struct fdtable (for recording open files and close-on-exec flags) so that we can move away from using fd_sets since we abuse the fd_set structs by not allocating the full-sized structure under normal circumstances and by non-core code looking at the internals of the fd_sets. The first abuse means that use of FD_ZERO() on these fd_sets is not permitted, since that cannot be told about their abnormal lengths. This introduces six wrapper functions for setting, clearing and testing close-on-exec flags and fd-is-open flags: void __set_close_on_exec(int fd, struct fdtable *fdt); void __clear_close_on_exec(int fd, struct fdtable *fdt); bool close_on_exec(int fd, const struct fdtable *fdt); void __set_open_fd(int fd, struct fdtable *fdt); void __clear_open_fd(int fd, struct fdtable *fdt); bool fd_is_open(int fd, const struct fdtable *fdt); Note that I've prepended '__' to the names of the set/clear functions because they require the caller to hold a lock to use them. Note also that I haven't added wrappers for looking behind the scenes at the the array. Possibly that should exist too. Signed-off-by: David Howells <dhowells@redhat.com> Link: http://lkml.kernel.org/r/20120216174942.23314.1364.stgit@warthog.procyon.org.uk Signed-off-by: H. Peter Anvin <hpa@zytor.com> Cc: Al Viro <viro@zeniv.linux.org.uk> 
Wrap accesses to the fd_sets in struct fdtable (for recording open files and
close-on-exec flags) so that we can move away from using fd_sets since we
abuse the fd_set structs by not allocating the full-sized structure under
normal circumstances and by non-core code looking at the internals of the
fd_sets.

The first abuse means that use of FD_ZERO() on these fd_sets is not permitted,
since that cannot be told about their abnormal lengths.

This introduces six wrapper functions for setting, clearing and testing
close-on-exec flags and fd-is-open flags:

	void __set_close_on_exec(int fd, struct fdtable *fdt);
	void __clear_close_on_exec(int fd, struct fdtable *fdt);
	bool close_on_exec(int fd, const struct fdtable *fdt);
	void __set_open_fd(int fd, struct fdtable *fdt);
	void __clear_open_fd(int fd, struct fdtable *fdt);
	bool fd_is_open(int fd, const struct fdtable *fdt);

Note that I've prepended '__' to the names of the set/clear functions because
they require the caller to hold a lock to use them.

Note also that I haven't added wrappers for looking behind the scenes at the
the array.  Possibly that should exist too.

Signed-off-by: David Howells <dhowells@redhat.com>
Link: http://lkml.kernel.org/r/20120216174942.23314.1364.stgit@warthog.procyon.org.uk
Signed-off-by: H. Peter Anvin <hpa@zytor.com>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Merge tag 'staging-3.3-rc3' into staging-next 2012-02-10T18:58:25+00:00 Greg Kroah-Hartman gregkh@linuxfoundation.org 2012-02-10T18:58:25+00:00 b91867f2ee5c84b550f95ce54c91b180f70f48cb This was done to resolve some merge issues with the following files that had changed in both branches: drivers/staging/rtl8712/rtl871x_sta_mgt.c drivers/staging/tidspbridge/rmgr/drv_interface.c drivers/staging/zcache/zcache-main.c Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
This was done to resolve some merge issues with the following files that
had changed in both branches:
	drivers/staging/rtl8712/rtl871x_sta_mgt.c
	drivers/staging/tidspbridge/rmgr/drv_interface.c
	drivers/staging/zcache/zcache-main.c

Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
drivers:staging:android Typos: fix some comments that have typos in them. 2012-02-09T00:47:50+00:00 Justin P. Mattock justinmattock@gmail.com 2012-01-12T14:51:31+00:00 217218f002a669905701cc0baa18a8d6ba1d5e21 Below is a patch that fixes some typos in some comments. Signed-off-by: Justin P. Mattock <justinmattock@gmail.com> Cc: Randy Dunlap <rdunlap@xenotime.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
Below is a patch that fixes some typos in some comments.

Signed-off-by: Justin P. Mattock <justinmattock@gmail.com>
Cc: Randy Dunlap <rdunlap@xenotime.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Staging: android: binder: Fix crashes when sharing a binder file between processes 2012-02-08T22:14:13+00:00 Arve Hjønnevåg arve@android.com 2012-02-01T23:29:13+00:00 bd1eff9741af27378b241b347041c724bb28e857 Opening the binder driver and sharing the file returned with other processes (e.g. by calling fork) can crash the kernel. Prevent these crashes with the following changes: - Add a mutex to protect against two processes mmapping the same binder_proc. - After locking mmap_sem, check that the vma we want to access (still) points to the same mm_struct. - Use proc->tsk instead of current to get the files struct since this is where we get the rlimit from. Signed-off-by: Arve Hjønnevåg <arve@android.com> Cc: stable <stable@vger.kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
Opening the binder driver and sharing the file returned with
other processes (e.g. by calling fork) can crash the kernel.
Prevent these crashes with the following changes:
- Add a mutex to protect against two processes mmapping the
  same binder_proc.
- After locking mmap_sem, check that the vma we want to access
  (still) points to the same mm_struct.
- Use proc->tsk instead of current to get the files struct since
  this is where we get the rlimit from.

Signed-off-by: Arve Hjønnevåg <arve@android.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>